The UK’s policy debate isn’t just a consumer story, it’s an enterprise security problem

By Scout Scholes

March 26, 2026




This blog is based on an article from The Independent.

 

TL;DR

  • The UK government’s consultation on age-gating VPNs isn’t just a consumer privacy story. It creates real ambiguity for enterprise security teams who rely on VPN infrastructure for remote workforce access, third-party vendor connectivity, and OT/IT network segmentation.
  • Expel’s 2026 Annual Threat Report found that 68.6% of incidents involved identity-based attacks, many targeting remote access infrastructure directly, including logins through unauthorized VPN applications and proxy-routed credential stuffing attempts.
  • Security teams shouldn’t wait for Whitehall to decide: auditing VPN client visibility, tightening third-party access controls, and enforcing phishing-resistant MFA on remote access entry points are steps worth taking now, regardless of what the consultation concludes.

 

As Pierre Noel, EMEA Field CISO at Expel, noted in The Independent recently, VPNs are “adept at masking themselves as standard web communications,” which is precisely why it will be “challenging for the UK government to determine whether a connection is from a ‘legit’ originator or a minor trying to bypass age-verification controls.”

That observation was made in the context of the UK government’s public consultation on digital safety, launched March 2 by the Department for Science, Innovation and Technology. The consultation asks whether VPN access should be age-restricted as part of a broader push to strengthen online safety guardrails after a surge in VPN downloads followed the introduction of mandatory age checks for adult content sites.

Fair enough as a policy debate. But enterprise security teams shouldn’t be watching this from the sidelines. Because the same VPN infrastructure that regulators want to restrict is the infrastructure that underpins how your remote workforce connects, how your third-party vendors access your systems, and how your OT and IT networks stay segmented. And the threat picture around all three of those use cases is getting worse, not better.

 

The policy debate will move slowly, but the threat landscape won’t wait

The government’s consultation runs until May 26, 2026. Then there will be a review. Then, potentially, further action. That timeline is fine for policymakers. It is not a reason for security teams to defer their own thinking.

The practical reality is this: any regulatory move to restrict VPN access—even if targeted at consumer services—creates ambiguity in enterprise environments. Which providers are in scope? What happens to employees using personal VPN clients on corporate devices? How does this interact with zero trust architectures that rely on VPN tunnels for certain legacy applications? These aren’t hypotheticals. They’re questions UK-based security teams and their legal and compliance colleagues should be working through now.

There is also a more immediate risk. Regulatory uncertainty creates operational distraction. And when security teams are distracted by policy noise, adversaries move faster.

 

What we think will happen with remote access

The Expel SOC triaged nearly one million alerts across its customer base in 2025. The findings from Expel’s 2026 Annual Threat Report are instructive here, and directly relevant to the VPN policy debate.

Identity is the primary attack surface and remote access is a key entry point. Identity-based attacks accounted for 68.6% of all incidents Expel analysts investigated in 2025. Many of those attacks targeted remote access infrastructure directly. Among the most frequently flagged behaviors: logins through TOR nodes or unauthorized VPN applications, connections from suspicious geographic locations, and attempts to connect from known phishing infrastructure. In other words, threat actors are already weaponizing the ambiguity in remote access controls, and the gap between “legitimate VPN” and “attacker-controlled proxy” is where they operate.

When access controls fail, the damage is fast. Of the identity incidents where attackers used stolen credentials, 47.7% resulted in access being granted. Expel analysts observed that once initial access was achieved, attackers moved quickly, registering new MFA devices, searching mailboxes, and pivoting to cloud storage and SaaS applications. The Expel SOC’s current mean time to respond (MTTR) for high and critical incidents with auto remediation enabled is 13 minutes. The implication: the gap between detection and response is where the damage happens, and remote access is a primary initial access vector.

Attackers are also adapting to bypass the controls organizations think are working. Expel analysts noted that when conditional access policies block an attacker based on geolocation, the actor’s next move is often to route through a VPN or proxy to change their apparent location and try again. This is the same cat-and-mouse dynamic that cybersecurity experts predict will play out if the UK government attempts technical VPN blocking—and it’s already happening in enterprise environments today.

 

Three questions UK security teams should be asking right now 

1. Do you have full visibility into which VPN clients are running in your environment?

Many organizations have approved VPN infrastructure at the perimeter but limited visibility into personal VPN clients installed on employee devices. Expel analysts flagged logins from unauthorized VPN applications as one of the key indicators of suspicious identity activity in 2025. If your conditional access policies can’t distinguish between an approved corporate VPN and a consumer privacy tool, that’s a detection gap worth closing, regardless of what Whitehall decides.

2. How are third-party vendors and contractors accessing your network?

Third-party access is one of the highest-risk segments of enterprise remote connectivity. Vendors often operate outside your device management perimeter, may use their own VPN clients, and are unlikely to be subject to the same conditional access policies as full-time employees. Expel’s 2026 Annual Threat Report highlights third-party identity risks as a persistent concern for CISOs—and any policy shift around VPN access could affect how vendors authenticate into UK-based enterprise environments.

3. Is your OT/IT network segmentation dependent on VPN tunnels for control plane access?

For organizations in manufacturing, critical infrastructure, and healthcare—the three industries that saw the highest incident volumes in Expel’s 2025 data—VPNs often play a role in maintaining separation between operational technology and IT networks. Regulatory changes that affect VPN provider availability or compliance posture could have unintended consequences for segmentation architectures that haven’t been revisited in years.

 

What security teams should be doing now 

The policy consultation will play out on its own timeline. But the operational steps that reduce remote access risk are the same regardless of what the government decides, and they’re worth doing now.

Expel analysts recommend the following as foundational controls:

  • Enforce conditional access policies that require managed devices for high-value accounts. This is the single most effective control for preventing unauthorized remote access using stolen credentials. Organizations with policies requiring authentication from trusted devices were the most likely to prevent access in the identity incidents Expel’s SOC investigated in 2025.
  • Treat blocked login attempts from VPN or proxy infrastructure as incidents, not noise. A blocked login still means credentials have been compromised. The attacker may change their routing and try again within minutes. These events warrant investigation, not just logging.

  • Audit your remote access footprint for over-privileged accounts and legacy VPN configurations. Expel’s SOC red team data from 2025 found that 62% of all red team engagements focused on access management, including identifying over-privileged accounts. The same dynamic exists in VPN and remote access configurations that haven’t been reviewed since initial deployment.
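One way to act on the "blocked logins are incidents" control is to correlate each blocked sign-in with later activity on the same account. The sketch below is an added example, not Expel's detection logic: the event fields, the approved VPN egress range (an RFC 5737 documentation range), the `XX` country placeholder, and the 30-minute window are all assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: egress range of the approved corporate VPN (documentation range).
APPROVED_VPN_EGRESS = [ip_network("192.0.2.0/28")]
RETRY_WINDOW = timedelta(minutes=30)  # assumed correlation window

# Constructed sign-in events: (timestamp, user, source_ip, country, result)
EVENTS = [
    ("2026-03-02T09:00:00", "alice", "192.0.2.5", "GB", "success"),
    ("2026-03-02T09:14:00", "bob", "203.0.113.77", "XX", "blocked"),
    ("2026-03-02T09:19:00", "bob", "198.51.100.23", "GB", "success"),
    ("2026-03-02T11:00:00", "carol", "203.0.113.9", "XX", "blocked"),
    ("2026-03-02T11:05:00", "carol", "192.0.2.7", "GB", "success"),
    ("2026-03-02T12:00:00", "dave", "203.0.113.50", "XX", "blocked"),
]

def is_approved(ip):
    """True if the source address is inside an approved corporate VPN range."""
    addr = ip_address(ip)
    return any(addr in net for net in APPROVED_VPN_EGRESS)

def triage(events, window=RETRY_WINDOW):
    """Return one finding per blocked sign-in, escalating re-routed retries."""
    findings = []
    parsed = sorted((datetime.fromisoformat(ts), u, ip, c, r) for ts, u, ip, c, r in events)
    for i, (ts, user, ip, country, result) in enumerate(parsed):
        if result != "blocked":
            continue
        # A block alone still means the password was presented by someone.
        severity, detail = "medium", "blocked sign-in: credentials likely exposed"
        for ts2, user2, ip2, country2, result2 in parsed[i + 1:]:
            if ts2 - ts > window:
                break
            if user2 != user or ip2 == ip or result2 != "success":
                continue
            if not is_approved(ip2):
                # Same account succeeded from a new, unapproved network.
                severity = "critical"
                detail = f"success from unapproved {ip2} ({country2}) after block"
                break
            severity = "high"
            detail = f"success via approved VPN {ip2} after block; confirm with user"
        findings.append({"user": user, "blocked_ip": ip, "severity": severity, "detail": detail})
    return findings

if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

Every blocked attempt yields a finding; the severity only rises when the same account later succeeds from a different network inside the window.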

 

The UK government’s VPN consultation is framed as a child safety measure. That framing will dominate the headlines. But the enterprise security implications are real, and they don’t wait for the consultation to close.

Expel’s 2026 Annual Threat Report makes clear that remote access infrastructure is not a background concern. It’s one of the primary surfaces through which attackers are achieving initial access today. Security teams that treat this policy debate as somebody else’s problem are misreading the risk.

The question isn’t whether UK regulators will restrict VPNs. It’s whether your organization’s remote access controls are strong enough that it wouldn’t matter either way.